How to allow access to a file only to users with an IP in a range of IP addresses?
For example, the file admin.php and the range from 0.0.0.0 to 1.2.3.4.
I need to configure access to only ONE file, not to a directory.
Just add a FilesMatch or Files directive to limit it to a specific script.
The following would block access to all scripts ending in "admin.php":
<FilesMatch "admin\.php$">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</FilesMatch>
The following would ONLY block admin.php:
<Files "admin.php">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Files>
For more information refer to the Apache docs on Configuration Sections.
Check the man page of the Allow directive:
Order Deny,Allow
Deny from all
Allow from 10.1.0.0/255.255.0.0
A partial IP address
Example:
Allow from 10.1
Allow from 10 172.20 192.168.2
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair
Example:
Allow from 10.1.0.0/255.255.0.0
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
A network/nnn CIDR specification
Example:
Allow from 10.1.0.0/16
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
You cannot match an IP range with allow, but you can emulate it with a CIDR notation:
Order allow,deny
# 0.0.0.0 - 0.255.255.255
Allow from 0.0.0.0/8
# 1.0.0.0 - 1.1.255.255
Allow from 1.0.0.0/15
# 1.2.0.0 - 1.2.1.255
Allow from 1.2.0.0/23
# 1.2.2.0 - 1.2.2.255
Allow from 1.2.2.0/24
# 1.2.3.0 - 1.2.3.3
Allow from 1.2.3.0/30
# 1.2.3.4
Allow from 1.2.3.4
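Added example, not part of the answer above: a Python sketch that derives the same CIDR list for any start and end address and prints a ready-to-paste Files block. The function names are hypothetical; the apache24 switch emits the Require ip form used elsewhere on this page instead of Order/Deny/Allow.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    # summarize_address_range raises ValueError when lo > hi and
    # TypeError when the two addresses are of different IP versions.
    return list(ipaddress.summarize_address_range(lo, hi))


def files_block(filename, first, last, apache24=False):
    """Build a <Files> section that admits only the given address range."""
    nets = range_to_cidrs(first, last)
    # Guard against a silent gap or overlap: the blocks must cover
    # exactly as many addresses as the requested range contains.
    expected = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    if sum(n.num_addresses for n in nets) != expected:
        raise RuntimeError("CIDR list does not cover the requested range exactly")
    lines = [f'<Files "{filename}">']
    if apache24:
        # Several Require lines in one section are OR-ed (implicit RequireAny).
        lines += [f"    Require ip {n}" for n in nets]
    else:
        lines += ["    Order deny,allow", "    Deny from all"]
        lines += [f"    Allow from {n}" for n in nets]
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    # The range from the question: 0.0.0.0 to 1.2.3.4.
    print(files_block("admin.php", "0.0.0.0", "1.2.3.4"))
    print(files_block("admin.php", "0.0.0.0", "1.2.3.4", apache24=True))
```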
Just do this for a single IP:
<Limit GET POST>
order deny,allow
deny from all
allow from 1.2.3.4
</Limit>
If you want to do it for a range like 10.x.x.x, then do this:
<Limit GET POST>
order allow,deny
allow from 10
deny from all
</Limit>
If you are using WordPress, then the best and simplest method is to install the plugin LionScripts: WordPress IP Blocker from their website http://www.lionscripts.com/ip-address-blocker
Their Professional version has many more features, like country blocking, IP range blocking, bulk CSV uploading, etc.
If you want to provide a wildcard 0.0.255.255:
Order allow,deny
# 1.2.0.0 - 1.2.255.255
Allow from 1.2.0.0/16
This will give a range from 1.2.0.1 - 1.2.255.254
You can also check here
I wanted to redirect all but certain IPs to a maintenance page - our IPs are all on the same network. The following worked, based on shamitomar's answer above:
# TEMP MAINTENANCE PAGE
# MAINTENANCE-PAGE REDIRECT
<IfModule mod_rewrite.c>
RewriteEngine on
# One address that is on a different network
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx
#allow all addresses from our network
RewriteCond %{REMOTE_ADDR} !^xx\.xxx
#Stuff to allow so that we can show our maintenance page while we work
RewriteCond %{REQUEST_FILENAME} !(styles|images).+$
RewriteCond %{REQUEST_URI} !maintenance.html$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif|js|css|ttf|woff) [NC]
RewriteRule .* /maintenance.html [R=302,L]
</IfModule>
Order Deny,Allow
Deny from all
Allow from 311.311.311 322.322.322.322
See answer here
Related
I want to deny direct access to all files, except one: go.php.
I've read this question, but in my case it doesn't work because I send also a GET parameter.
That means that all files should be denied, except when trying to go to www.domain.com/go.php?code=xyz123.
My code now:
Order Allow,Deny
deny from all
allow from [my IP here]
<FilesMatch "go.php">
Allow from all
</FilesMatch>
How can I fix it?
Thanks!
EDIT 1
I updated the code to:
<Files go.php>
Allow from all
</Files>
Now it does allow if the url is domain.com/go.php?code=123. The thing is that I use pretty URLs with this rewrite condition:
RewriteRule ^go/([a-z0-9]+)$ /go.php?code=$1
RewriteRule ^go/([a-z0-9]+)/$ /go.php?code=$1
So, the above Files code does not work if the url is domain.com/go/123. How to fix this?
Since this is just one specific file, you don't need FilesMatch, but can use Files instead
<Files go.php>
...
</Files>
Rewriting from /go/123 to /go.php?code=123 is a classic. You capture the part for the query string and use it in the substitution
RewriteRule ^go/(.+)$ /go.php?code=$1 [L]
I didn't expect <Files go> or <FilesMatch go> to work, because "/go/123" isn't a file in the strict sense.
So despite my ignorance an additional
<Files go>
Allow from all
</Files>
works.
As an alternative, you can use If and check for the requested URL path
<If "%{REQUEST_URI} =~ m,^/go/,">
Allow from all
</If>
Problem solved:
<FilesMatch "go|go.php">
Allow from all
</FilesMatch>
Thank you all!
I would like to block a path from my site using the .htaccess configuration. The idea is that only a specific set of IPs can access that specific path from the URL after they authenticated using basic auth.
Note: It's a path, not a page or directory. We are trying to shield off a web-service so there will be only POST calls to the URLs.
I would like the URL example.com/rest to be blocked and everything behind that URL based on IP. So example.com/rest/foo and example.com/rest/foo/bar should be blocked.
All other paths from the application should remain functional and without basic auth.
The IP blocking part has been resolved in a previous question I asked.
The basic configuration (the blocking part, there is more in the .htaccess but is not relevant to this question.) you can find below.
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
# Check on what subdomain we are.
SetEnvIf Host ^local\. None_Prod_Env
# Static
SetEnvIf AH_CLIENT_IP ^123\.123\.123\.123$ Allow_Host
# Range
SetEnvIf AH_CLIENT_IP ^123\.123\.123\. Allow_Host
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=Allow_Host
Allow from env=None_Prod_Env
So the configuration above blocks all access to /rest/* but not to non-rest paths, it allows a user coming from IP X (Allow_Host variable), and we allow non-production environments, in this case local.
I tried to extend this functionality with basic auth like so:
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
SetEnvIfNoCase Request_URI "/rest(/.*)?$" require_auth=true
# ... Allow Host stuff and none prod stuff ...
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=Allow_Host
Allow from env=None_Prod_Env
AuthName "Password Protected"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/html/.htpasswd
Require valid-user
However this resulted in a basic auth on all pages and not only for the /rest/* url. I played a lot with it but couldn't figure it out. Changing SetEnvIfNoCase to SetEnvIf also didn't help.
Note: Our server is running Apache 2.2.22.
You can solve this complex problem using a combination of a few Apache directives, i.e. mod_dir, mod_setenv and mod_auth_basic:
SetEnvIf Request_URI ^/rest(/.*)?$ rest_uri
# Check on what subdomain we are.
SetEnvIf Host ^local None_Prod_Env
# Static
SetEnvIf AH_CLIENT_IP ^123\.123\.123\.123$ Allow_Host
# Range
SetEnvIf AH_CLIENT_IP ^192\.168\. Allow_Host
RewriteEngine On
# block if request is /rest/* and IP is not whitelisted and not localhost
RewriteCond %{ENV:rest_uri} =1
RewriteCond %{ENV:None_Prod_Env} !=1
RewriteCond %{ENV:Allow_Host} !=1
RewriteRule ^ - [F]
# ask auth for /rest/* && NOT localhost && whitelist IP
AuthType Basic
AuthName "Password Protected"
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=!Allow_Host
Allow from env=None_Prod_Env
Satisfy any
Try and add satisfy any to your code. Give it a try this way.
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
SetEnvIf Referer "^http://local\.example\.com/" None_Prod_Env
AuthName "Password Protected"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/html/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from env=!rest_uri
Allow from env=Allow_Host
Allow from env=None_Prod_Env
Satisfy any
I would like to block a path from my site using the .htaccess configuration. The idea is that only a specific set of IPs can access that specific path from the URL.
Note: It's a path, not a page or directory. We are trying to shield off a web-service so there will be only POST calls to the URLs.
I would like the URL example.com/rest to be blocked and everything behind that URL based on IP. So example.com/rest/test_service and example.com/rest/test_service/read should be blocked.
All other paths from the application should remain functional.
I've tried the following, but it doesn't seem to work. Not a single page is accessible like this.
SetEnvIf Request_URI "/rest$" rest_uri
<RequireAll>
Require env rest_uri
<RequireAny>
Require ip XXX.XXX.XXX.XXX
</RequireAny>
</RequireAll>
I've tried different things but none of them seem to work. Any help is appreciated.
You can use mod_rewrite to allow a specific IP address:
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !YourIP$
RewriteRule ^/?rest - [F]
This will return 403 forbidden error for all other ip addresses if /rest or /rest/foobar is accessed.
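Added example, not from any answer on this page: the REMOTE_ADDR conditions in the mod_rewrite answers above (patterns of the form !^xx\.xxx and !YourIP$) are regular-expression searches, not address comparisons, so a missing anchor, a missing trailing \. or an unescaped dot widens the match. This Python check lists look-alike addresses that a pattern admits outside the intended network; it assumes re.search behaves like Apache's PCRE for these simple patterns, and the function names and sample patterns are constructed.

```python
import ipaddress
import re


def probe_addresses(network):
    """Constructed probes: the network's first and last address plus
    look-alikes made by adding a digit to one octet (10.1 -> 10.10, 110.1)."""
    net = ipaddress.ip_network(network)
    probes = set()
    for addr in (net.network_address, net.broadcast_address):
        octets = str(addr).split(".")
        probes.add(str(addr))
        for i, octet in enumerate(octets):
            for variant in (octet + "0", "1" + octet, "2" + octet):
                if int(variant) <= 255:
                    changed = octets[:i] + [str(int(variant))] + octets[i + 1:]
                    probes.add(".".join(changed))
    return sorted(probes, key=ipaddress.ip_address)


def overmatches(pattern, network):
    """Probes the regex accepts although they lie outside `network`."""
    net = ipaddress.ip_network(network)
    rx = re.compile(pattern)
    return [p for p in probe_addresses(network)
            if rx.search(p) and ipaddress.ip_address(p) not in net]


def exact_host_pattern(ip):
    """Fully anchored, dot-escaped pattern for a single address."""
    return "^" + re.escape(str(ipaddress.ip_address(ip))) + "$"


if __name__ == "__main__":
    # Constructed sample patterns in the style used on this page.
    samples = [(r"^10\.1", "10.1.0.0/16"),
               (r"^10\.1\.", "10.1.0.0/16"),
               (r"1.2.3.4$", "1.2.3.4/32"),
               (exact_host_pattern("1.2.3.4"), "1.2.3.4/32")]
    for pattern, net in samples:
        print(f"{pattern:16} {net:13} extra matches: {overmatches(pattern, net)}")
```

Where the server version allows it, a CIDR directive (Allow from 10.1.0.0/16, or Require ip on 2.4) avoids the string-matching problem entirely.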
You can use directives like this to allow an IP range for a certain URL:
# set env variable if URL is /rest or /rest/
SetEnvIf Request_URI "/rest(/.*)?$" rest_uri
Order deny,allow
# first deny all
Deny from all
# then allow if env var is not set
Allow from env=!rest_uri
# also allow your IP range
Allow from 10.1.0.0/16
Please can you tell me in Apache2 how I can restrict a URL to my IP address when the URL is generated as a script. For example:
example.com/?admin
I have tried Location Match but no joy:
<LocationMatch /?admin>
Order Deny,Allow
Allow from [MY IP]
Deny from all
</LocationMatch>
You could use mod_rewrite to match the %{QUERY_STRING} and disallow anything that's not empty, unless it's from your IP. Check the wiki for examples.
I'd like to deny multiple files through htaccess.
<FilesMatch (profile|reg|register|..............|)\.php>
order allow,deny
deny from all
</FilesMatch>
I have lots of files (6 folders with like 30 files each) that I want to deny access to, so using the method above by entering them one by one will take time.
Could I deny access to all files in the folders like this?
<Directory /www/php/login/pages>
Order Allow,Deny
</Directory>
To multiple
<FilesMatch "(foo|bar|doo)\.php$">
Deny from all
</FilesMatch>
or go for rewrite rules (RewriteEngine On)
RewriteRule \.(psd|log)$ - [NC,F]
To deny access to all files in the folders:
RewriteRule ^www/php/login/pages - [NC,F]
or simply place a 'Deny from all' directly in that folder...
Update 2015: Using Apache 2.4 or higher, the 'Deny from all' would need adjustment.
You would need to add "deny from all" like your initial approach, but yes you can.
Scroll down in the documentation for the syntax you are looking for: http://httpd.apache.org/docs/2.2/mod/core.html#directory